Rödl & Partner (Rödl), a global professional services firm, has been named as a defendant alongside Payone GmbH, a payment service provider, in a data breach case currently being litigated in the UK courts.
It has been confirmed that Payone and Rödl are accused of losing physical documents pertaining to sensitive personal data belonging to a former employee, including information such as salary, date of birth, National Insurance Number, Nationality, address, and other confidential financial details. This incident highlights the potential risks associated with data breaches and the importance of robust data protection measures.
ICO Reprimand
Payone GmbH has previously been reprimanded by the UK’s Information Commissioner’s Office (ICO) for the same data breach and inadequate handling of a subject access request.
In a letter dated July 2021, the ICO outlined specific shortcomings in Payone’s data protection practices. The regulator criticized the company for failing to keep personal data secure, resulting in it being sent to an incorrect address.
Additionally, the ICO found that Payone’s response to a subject access request was insufficient. The company’s search for the individual’s data was deemed inadequate, and its attempt to justify this by citing German data protection law was rejected.
The ICO emphasized the importance of conducting thorough searches for personal data and redacting third-party information where necessary. Payone has been instructed to rectify these issues and improve its data protection practices.
Payone was deemed to have breached Article 5(1)(f) of the UK GDPR.
Payone’s “Heads Up” Before a Data Breach Ignited ICO Reprimand
The ICO’s rebuke of Payone wasn’t entirely unexpected. The catalyst for the data regulator’s intervention was a remarkably insensitive email sent by Payone a copy of which is downloadable here:
This email, from Payone’s Director of Data Protection, attempted to downplay the blunder by framing it as a “potential” issue. It acknowledged sending a registered letter containing the individual’s sensitive data (including salary details and NI number) to an incorrect address, but offered little in the way of apology or concrete steps to mitigate the risk.
The email further highlighted Payone’s negligence by stating that the error “had not been noticed despite control measures.” This admission exposed a fundamental weakness in their data security practices.
The notification from Payone to the affected individual referenced ‘further documents provided by Rödl & Partner’.
The ICO’s 2021 investigation might have viewed Payone’s email as a symptom of a larger problem – perhaps a cavalier attitude towards data protection obligations. This, coupled with the individual’s subsequent subject access request and Payone’s inadequate response, sealed the company’s fate and resulted in the ICO’s rebuke.
Payone then went on to again send incorrect employee data to the Workers Pension Trust (WPT) in 2022, leading to the WPT sending online pension login data to the wrong address. They learned little from the 2021 ICO rebuke.
Rödl & Partner’s Data Security Failures Under the Spotlight
Rödl & Partner, a key defendant in the UK data breach allegations involving Payone, is set to appear in the UK court in January 2024. The firm is facing scrutiny for its role in the incident. As Payone seeks to have their own role in the case dismissed, Rödl & Partner’s involvement is not under the same strike out application.
Beyond their involvement in the Payone case, Rödl & Partner has recently been implicated in a significant data breach affecting their US subsidiary. This incident, which came to light in August 2024, resulted in the exposure of sensitive personal information, including Social Security numbers, of individuals linked to Jamestown, LP and JT Tax Services.
The data breach at Rödl Management and the UK case (albeit entirely denied by Roedl) highlight the broader issue of data security within the Roedl Group and are likely to raise concerns about the firm’s commitment to protecting sensitive information.
By failing to prioritize data security, organizations can expose themselves to significant legal, financial, and reputational risks.
As the legal landscape surrounding data privacy continues to evolve, it is imperative for organizations like Rödl & Partner to adapt their security practices to meet the challenges of the digital age. This includes implementing robust security measures, conducting regular security audits, and responding promptly and transparently to data breaches. By taking these steps, organizations can mitigate the risks associated with cyberattacks and protect the privacy of their customers and employees.
Payone’s Application to be Removed from the Case
It is important to note that Payone has filed an application dated 18 March 2024, seeking to be removed from the case. This application will be heard publicly, with the principles of open justice in mind, in January 2025. Roedl have made no similar application to date. The details of the hearing are downloadable here:
The outcome of this case might have implications for businesses operating within the scope of the UK GDPR, particularly those handling sensitive personal data. It may lead to increased scrutiny of data protection practices and increased liability for organizations that fail to adequately protect personal data. Payone and Rödl deny all UK-related allegations.
Limited Statements from Parties Involved
Further details are expected to emerge as the case progresses through the UK court system, particularly during the upcoming application hearing and potential future court filings. Loopline Media reserves the right to publish any comments received from the parties mentioned in this article.
The claim number for this case is H45YJ3 14.